ClawHub

Adyen

Security checks across malware telemetry and agentic risk

Overview

This Adyen skill is not malicious, but it gives an agent broad payment-platform authority without enough built-in scoping or confirmation guidance.

Install only if you trust Membrane and intend to let an agent operate on Adyen data. Use a sandbox or least-privilege Adyen account where possible, require explicit confirmation before refunds, payment creation, deletes, or other account-changing requests, and revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The invocation description is overly broad ('Manage data, records, and automate workflows'), which can cause the skill to be selected for generic business-data tasks beyond a clearly intended Adyen/payment context. In a payments integration, over-selection increases the chance an agent uses powerful payment-related actions or proxy requests inappropriately when the user did not explicitly intend to operate on Adyen resources.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents a generic proxy capability that supports arbitrary HTTP methods, headers, and bodies against the Adyen API, but it does not warn that these requests can create, modify, refund, or otherwise affect payment-platform data. In a financial system, omission of confirmation and safety guidance around direct API access materially increases the risk of unintended destructive or high-impact actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal